changeset 1419:690fdcf93ac9

Fix for bug #184 and related user login issues.
author "Miks Kalnins <MiksKalnins@MaikuMori.com>"
date Fri, 13 Jul 2012 19:43:23 +0300
parents 25f390d1c829
children 7acb182186e2
files MoinMoin/apps/frontend/views.py MoinMoin/auth/__init__.py MoinMoin/user.py MoinMoin/util/crypto.py
diffstat 4 files changed, 18 insertions(+), 11 deletions(-) [+]
--- a/MoinMoin/apps/frontend/views.py	Wed Jul 11 11:35:45 2012 +0300
+++ b/MoinMoin/apps/frontend/views.py	Fri Jul 13 19:43:23 2012 +0300
@@ -1296,16 +1296,10 @@
                           )
 
 
-def _logout():
-    for key in ['user.itemid', 'user.trusted', 'user.auth_method', 'user.auth_attribs', ]:
-        if key in session:
-            del session[key]
-
-
 @frontend.route('/+logout')
 def logout():
     flash(_("You are now logged out."), "info")
-    _logout()
+    flaskg.user.logout_session()
     return redirect(url_for('.show_root'))
 
 
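Review bot: The logout view now relies on `flaskg.user.logout_session()` to invalidate the other browsers' sessions, but that method (MoinMoin/user.py hunk at @@ -662) calls `self.generate_session_token(False)`, and if the `save` flag there means what its name suggests, the rotated session key only lives in memory and is never written to the profile, so the old token stays valid everywhere. The same concern applies to the second hunk of this file (@@ -1470), where the explicit `flaskg.user.save()` that followed the old `_logout()` is removed without a visible replacement. Either call `flaskg.user.logout_session()` and then `flaskg.user.save()` in both places, or make `logout_session` save when it rotates the key; please confirm against `generate_session_token`, whose body is outside these hunks.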
@@ -1470,8 +1464,7 @@
                             # send verification mail
                             is_ok, msg = flaskg.user.mail_email_verification()
                             if is_ok:
-                                _logout()
-                                flaskg.user.save()
+                                flaskg.user.logout_session()
                                 response['flash'].append((_('Your account has been disabled because you changed your email address. Please see the email we sent to your address to reactivate it.'), "info"))
                                 response['redirect'] = url_for('.show_root')
                             else:
--- a/MoinMoin/auth/__init__.py	Wed Jul 11 11:35:45 2012 +0300
+++ b/MoinMoin/auth/__init__.py	Fri Jul 13 19:43:23 2012 +0300
@@ -444,6 +444,9 @@
                                 trusted=trusted)
             if userobj.valid and not userobj.validate_session(session_token):
                 logging.debug("session token doesn't validate")
+                # Destroy current session since it's no longer valid.
+                userobj.logout_session(False)
+                # We didn't find user in session data.
                 userobj = None
     logging.debug("session started for user {0!r}".format(userobj))
     return userobj
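Review bot: The added comment `# We didn't find user in session data.` is inaccurate for this branch: the user was found from the session, it is the session token that failed to validate, so `# Token did not validate; drop the stale session and treat the request as anonymous.` describes what the next line does. The `False` argument is also worth a why-comment, since it is what keeps an unauthenticated request carrying a stale or forged token from rotating the real user's session key and logging them out everywhere: `# all_browsers=False: only clear this cookie, never rotate the profile key on an unverified request.` The enclosing function begins before this hunk.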
--- a/MoinMoin/user.py	Wed Jul 11 11:35:45 2012 +0300
+++ b/MoinMoin/user.py	Fri Jul 13 19:43:23 2012 +0300
@@ -662,6 +662,15 @@
 
     # Sessions ---------------------------------------------------
 
+    def logout_session(self, all_browsers=True):
+        """ Terminate session in all browsers unless all_browsers is set to False """
+        if all_browsers:
+            self.generate_session_token(False)
+
+        for key in ['user.itemid', 'user.trusted', 'user.auth_method', 'user.auth_attribs', 'user.session_token', ]:
+            if key in session:
+                del session[key]
+
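Review bot: The docstring of `logout_session` documents only the default and not the `all_browsers` parameter or the side effect on the Flask `session`; a docstring stating that `all_browsers=True` rotates the profile's session key via `generate_session_token` so other browsers' tokens stop validating, that `False` only clears this browser's session, and listing which `session` keys are removed would make the auth-code call site self-explanatory. As a matter of style, the check-then-delete loop can be written as `session.pop(key, None)` per key, which avoids the two lookups. The list of keys is duplicated from the removed `_logout()` in views.py with `'user.session_token'` added; a module-level constant would keep future additions in one place.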
     def generate_session_token(self, save=True):
         """ Generate new session token and key pair. Used to validate sessions. """
         key, token = generate_token()
@@ -681,7 +690,8 @@
 
     def validate_session(self, token):
         """ Check if the session token is valid. """
-        return valid_token(self.profile[SESSION_KEY], token)
+        # Ignore timeout, it's already handled by session cookie and session key should never timeout.
+        return valid_token(self.profile[SESSION_KEY], token, None)
 
     # Account verification / Password recovery -------------------------------
 
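Review bot: Passing `None` as the timeout means a session token never expires server-side, so a token that leaks (e.g. from a cookie copied off a shared machine) stays usable until the profile's session key is rotated by a full logout; the cookie lifetime only bounds the legitimate browser, not a copy. That may be the intended trade-off, but the docstring should say so rather than only the inline comment, e.g. `""" Check if the session token is valid. No server-side expiry: tokens stay valid until the session key is regenerated. """`. It also looks like `self.profile[SESSION_KEY]` will raise `KeyError` for a profile that has never had a session key generated; whether every profile is guaranteed one is not visible here and is worth confirming.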
--- a/MoinMoin/util/crypto.py	Wed Jul 11 11:35:45 2012 +0300
+++ b/MoinMoin/util/crypto.py	Fri Jul 13 19:43:23 2012 +0300
@@ -194,6 +194,7 @@
 
     :param key: give the secret key to verify the token
     :param token: the token to verify
+    :param timeout: timeout seconds, set to None to ignore timeout
     :rtype: bool
     :returns: token is valid and not timed out
     """
@@ -204,7 +205,7 @@
         stamp = int(parts[0])
     except ValueError:
         return False
-    if stamp + timeout < time.time():
+    if timeout and stamp + timeout < time.time():
         return False
     expected_token = generate_token(key, stamp)[1]
     return token == expected_token
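Review bot: `if timeout and stamp + timeout < time.time():` disables the expiry check for `timeout=0` as well as for `None`, whereas before this change a timeout of 0 meant "always expired"; the docstring added in the earlier hunk of this file (@@ -194) only promises that `None` skips the check. `if timeout is not None and stamp + timeout < time.time():` matches the documented contract and keeps 0 meaningful. The `valid_token` signature and its default for `timeout` are outside this hunk, so I cannot tell whether any caller passes 0.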